
What Is a Payment SDK? Definition and How It Works

Definition

A payment SDK is a software development kit provided by a payment company that abstracts the technical complexity of payment integration, providing pre-built libraries, UI components, and API wrappers for web and mobile payment acceptance.

How it works

A payment SDK packages the code a merchant would otherwise have to write themselves: the API call construction, error handling, card data collection UI, 3DS flow management, and response parsing. Merchants include the SDK in their application, configure it with their API credentials, and invoke its methods to initiate payment flows without building each component from scratch.

Web SDKs are typically JavaScript libraries served from the payment provider's CDN or installed via a package manager. They handle card data input fields in the browser, often rendering as iframes to keep raw card data off the merchant's domain, and return a token or payment result to the merchant's JavaScript for downstream processing.
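The merchant-side half of the hosted-field pattern described above, as an added example that is not PXP's SDK or any provider's code: the provider's iframe collects the card details and posts a result to the parent page, and the merchant page must accept that message only from the provider's origin and must only ever receive a token. The origin, the message shape (`{ type: "token", token }` / `{ type: "error", code }`) and the `/api/checkout` endpoint are assumptions for illustration.

```javascript
// Added example, not provider code. Assumed hosted-fields origin and message shape.
const PROVIDER_ORIGIN = "https://fields.provider.example"; // assumed

// Validate one postMessage event from the hosted-fields iframe.
// Returns { ok: true, token } or { ok: false, reason }.
function handleFieldsMessage(event, providerOrigin = PROVIDER_ORIGIN) {
  // Any frame on the page (including an injected one) can postMessage to the
  // parent, so event.origin is the only trustworthy sender identity.
  if (event.origin !== providerOrigin) {
    return { ok: false, reason: `unexpected origin ${event.origin}` };
  }
  const msg = event.data;
  if (!msg || typeof msg !== "object") {
    return { ok: false, reason: "non-object payload" };
  }
  if (msg.type === "error") {
    return { ok: false, reason: `provider error: ${msg.code}` };
  }
  if (msg.type !== "token" || typeof msg.token !== "string" || msg.token.length === 0) {
    return { ok: false, reason: "malformed token message" };
  }
  // Scope check: if anything resembling a full card number reaches the merchant
  // page, the integration is not keeping card data off the merchant's domain.
  if (containsPanLike(msg)) {
    return { ok: false, reason: "payload contains card-number-like data" };
  }
  return { ok: true, token: msg.token };
}

// Heuristic: a run of 13-19 digits (optionally separated by spaces or dashes)
// that passes the Luhn check. Long numeric ids can false-positive; that is
// acceptable for a guard that should never see such data in the first place.
function containsPanLike(value) {
  const text = JSON.stringify(value);
  const candidates = text.match(/(?:\d[ -]?){13,19}/g) || [];
  return candidates.some((c) => luhnValid(c.replace(/[ -]/g, "")));
}

function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Browser wiring; skipped under Node so the functions above can be exercised directly.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const result = handleFieldsMessage(event);
    if (result.ok) {
      // Only the token travels to the merchant server (assumed endpoint).
      fetch("/api/checkout", {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({ token: result.token }),
      });
    } else {
      console.warn("hosted-fields message rejected:", result.reason);
    }
  });
}
```

The origin comparison is the check that matters: without it, any script or frame on the checkout page could post a forged "token" message, and a leaked PAN in the message body would silently pull the merchant page back into PCI scope.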

Mobile SDKs are native libraries for iOS and Android. They handle in-app payment UI, NFC-based tap-to-pay flows, and integration with device wallets (Apple Pay, Google Pay). Mobile SDKs abstract the complexity of biometric authentication, device token provisioning, and platform-specific payment APIs.

SDK maintenance is an ongoing obligation. Payment providers release SDK updates to address security vulnerabilities, add support for new payment methods, and maintain compatibility with evolving mobile operating system versions. Merchants running outdated SDK versions risk payment failures when underlying APIs or OS behaviours change without warning.

Why it matters

Unmaintained SDKs create operational risk: a mobile OS update that breaks an outdated SDK can take in-app payments offline without any change on the merchant's side. SDK version pinning and a testing process for OS updates are necessary for production reliability.

SDK choice affects PCI scope in web contexts: SDKs that render card input fields as iframes hosted on the provider's domain keep card data off the merchant's environment. SDKs that pass raw card data through the merchant's JavaScript do not. The implementation model determines whether SAQ A or a broader PCI assessment applies.

SDK versioning creates maintenance overhead: each SDK update must be tested against the merchant's checkout flow before deployment. Merchants with frequent release cycles can manage this; merchants with infrequent release cycles may run outdated SDK versions longer than is safe.

Third-party SDK dependencies carry supply chain risk: any SDK included in a checkout page is a potential attack vector for formjacking (malicious script injection to steal card data). Merchants should enforce subresource integrity checks on externally served scripts.

With PXP

PXP provides web and mobile SDKs for iOS, Android, and JavaScript environments. PXP's JavaScript SDK renders card input fields as iframes hosted on PXP's PCI-certified infrastructure, maintaining SAQ A eligibility for merchants using the hosted field approach. SDK release notes and changelog are published with each version.


Frequently asked questions

What's the difference between a payment SDK and a payment API?

A payment API is the interface that defines how systems communicate with a payment provider: the endpoints, request formats, and response structures. A payment SDK is a pre-built library that wraps the API, providing ready-to-use functions and UI components so merchants do not have to implement API calls directly. The SDK is built on top of the API; using the API directly without an SDK requires more custom development.

How often should merchants update their payment SDK?

Merchants should update their SDK whenever the provider releases a security-related update, as a baseline. Beyond that, following each major version release is good practice to maintain access to new payment methods and performance improvements. Unmaintained SDKs eventually cause payment failures when underlying platform dependencies change; mobile OS updates are the most common trigger.

Do payment SDKs affect checkout conversion?

Yes. SDK performance, including load time, rendering speed, and error handling quality, directly affects checkout conversion. A slow-loading JavaScript SDK delays the card entry form from appearing. A mobile SDK with poor error messaging creates confusion on payment failures. Merchants should monitor SDK load times and checkout funnel metrics by SDK version to quantify the conversion impact of each release.

What is formjacking and how does it relate to payment SDKs?

Formjacking is an attack where malicious JavaScript is injected into a checkout page to intercept card data as it is entered. Third-party scripts included in checkout pages, including payment SDKs, are a common injection vector. Merchants should enforce subresource integrity (SRI) checks on external scripts and conduct regular checkout page script audits to detect unauthorised additions.